Bug 1888031 - Permissions too restrictive on /var/run/opendmarc
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: opendmarc
Version: epel8
Hardware: Unspecified
OS: Unspecified
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-10-13 20:23 UTC by Graham Leggett
Modified: 2021-05-08 01:33 UTC (History)

Fixed In Version: opendmarc-1.4.0-1.fc34
Last Closed: 2021-05-08 01:33:45 UTC
Type: Bug

Description Graham Leggett 2020-10-13 20:23:27 UTC
Description of problem:

The permissions are too restrictive on /var/run/opendmarc, only the opendmarc user and nobody else can read sockets in this directory:

[root@gatekeeper opendmarc]# ls -al /run/opendmarc/
total 0
drwx------.  2 opendmarc opendmarc   40 Oct 13 17:18 .
drwxr-xr-x. 37 root      root      1020 Oct 13 17:19 ..
[root@gatekeeper opendmarc]# rpm -q -f /run/opendmarc/
opendmarc-1.3.2-1.el8.x86_64

Version-Release number of selected component (if applicable):

opendmarc-1.3.2-1.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Install opendmarc on epel8.

Actual results:

/var/run/opendmarc/ inaccessible.

Expected results:

/var/run/opendmarc/ accessible to members of opendmarc group.

Additional info:

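A check for the condition described in this report, as an added example that is not part of the original bug report or of the opendmarc package: it classifies the mode string that `ls -ld` prints for a directory, so a monitoring or post-update script can flag the socket directory when it is owner-only. The function names and verdict strings are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the opendmarc package).
# Function names and verdict strings are illustrative assumptions.

# classify_mode MODESTRING
# Takes the first column of `ls -ld` output (e.g. "drwx------.") and prints:
#   group-blocked    group lacks read or search permission (the reported case)
#   world-open       "other" has any access to the directory
#   ok               group can list and traverse, others cannot
#   not-a-directory  the mode string does not describe a directory
classify_mode() {
    mode=$1
    case $mode in
        d*) ;;
        *) echo "not-a-directory"; return 0 ;;
    esac
    # Characters 5-7 are the group triplet, 8-10 the "other" triplet.
    # A trailing "." (SELinux context) or "+" (ACL) at position 11 is ignored.
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "world-open"
        return 0
    fi
    case $group in
        r?[xs]) echo "ok" ;;             # "s" is setgid with search permission
        *)      echo "group-blocked" ;;
    esac
}

# audit_rundir DIR
# Reads the live mode of DIR (following symlinks such as /var/run -> /run)
# and classifies it; prints "missing" if DIR does not exist.
audit_rundir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 0; }
    classify_mode "$(ls -ldL "$dir" | cut -c1-10)"
}

# The mode string shown in the report for /run/opendmarc:
classify_mode 'drwx------.'
```

On a live system the same check is `audit_rundir /run/opendmarc`.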
Comment 1 Graham Leggett 2021-01-10 16:24:43 UTC
Just hit this again, we have a DoS on every update.

Any news?

Comment 3 Tomas Korbar 2021-02-22 08:24:40 UTC
Hi Graham,
unfortunately I do not have time to maintain Opendmarc.
The package is now orphaned. If you are a maintainer then
please consider taking it.

Apologies.

Comment 4 Fedora Admin user for bugzilla script actions 2021-02-25 00:08:45 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 5 Graham Leggett 2021-03-07 13:08:45 UTC
I am not a maintainer but am happy to become one - are you in a position to hold my hand through the process or pass me on to someone who is?

Comment 6 Kevin Fenzi 2021-03-07 23:20:28 UTC
Hey Graham. I just took this package because I use it... I'd be very happy to have someone else work on it. :) 

Can you look at doing a pull request for it for rawhide? (You will need to use https to push/pull your fork on src.fedoraproject.org until you are a packager, see https://fedoraproject.org/wiki/Infrastructure/HTTPS-commits )

There's a number of issues outstanding. This issue, the version to fix some CVEs, etc.

Feel free to drop me email or ask me here if you have any questions on process, etc. 

If we can get things working well in rawhide, I can add you to packagers and you can update the other branches? Sound reasonable?

Comment 7 Graham Leggett 2021-03-26 13:35:55 UTC
This specific PR is the rawhide patch: https://src.fedoraproject.org/rpms/opendmarc/pull-request/2

Am I understanding correctly that we apply to rawhide first, and if people are happy, backport as appropriate?

Comment 8 Kevin Fenzi 2021-04-25 18:50:28 UTC
So, I ended up changing a bunch of things in the packaging here and moving to 1.4.0 upstream (they are becoming more active again on github now).

Can I get folks to test?

rawhide/f35: http://koji.fedoraproject.org/koji/taskinfo?taskID=66668437
f34: http://koji.fedoraproject.org/koji/taskinfo?taskID=66668626
f33: http://koji.fedoraproject.org/koji/taskinfo?taskID=66668868
f32: http://koji.fedoraproject.org/koji/taskinfo?taskID=66668906
epel8: http://koji.fedoraproject.org/koji/taskinfo?taskID=66668617
epel7: http://koji.fedoraproject.org/koji/taskinfo?taskID=66669466

I'll probably push this to rawhide later today and see about pushing other releases based on feedback.

Graham: I am going to close your PRs... I took that into the changes I made, so I'll close the ones on the interface. Many thanks tho...
If you are still interested in co-maintaining happy to arrange that... these 1.4.0 changes were kind of difficult. Perhaps upstream will be better moving forward now that they are moving to github, etc.

Comment 9 Fedora Update System 2021-04-29 20:46:16 UTC
FEDORA-2021-c1b846164e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c1b846164e

Comment 10 Fedora Update System 2021-04-30 01:43:05 UTC
FEDORA-2021-c1b846164e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c1b846164e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c1b846164e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2021-05-08 01:33:45 UTC
FEDORA-2021-c1b846164e has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
